[Privoxy-users] user-agent based forwarding action

privoxyusers2 at i.lucanops.net privoxyusers2 at i.lucanops.net
Mon Jun 19 16:28:01 UTC 2017 

Hi Beeblebrox,

On Sun, 18 Jun 2017 12:42:57 +0300
Beeblebrox <zaphod at berentweb.com> wrote:
> Hello, this should have been trivial but I'm stuck (privoxy-3.0.2).
> 
> Trying to get forwarding rule based on user-agent. I have replaced
> the user-agent string in the browser with simple "Explorer SunOS" for
> testing (no filter definitions) and edited user.action file as:
> 
> ###################
> # Crunch referrer
> { +crunch-client-header{Referer:} }
> /
> 
> # Spoof accept-language and user agent
> {+hide-accept-language{en-ca} \
> +hide-user-agent{Mozilla/5.0 (X11; U; Linux; i686; en-ca; rv:1.7)
> KHTML (like Gecko)}  } /

After writing the stuff below, I noticed this. Could the problem be
because you are trying to hide the UA, but then tag against it? How do
things go if you comment out the above line?

> 
> {-filter{demoronizer}}
> 
> # Tag every request with the User-Agent header. Client-header taggers
> are # first to be executed and can be used to control every other
> action. {+client-header-tagger{user-agent}}
> /
> 
> # Tagging doesn't change action, sections with TAG patterns do
> # Use different forwarding based on user-agent
> {+forward-override{forward-socks5 192.168.0.102:2222 .} \
> +client-header-filter{hide-tor-exit-notation} }
> TAG:^User-Agent: Explorer SunOS/
> #########################
> 
> But forwarding does not work correctly (this example for a
> country-level blocked site) Header: scan: Host: www.example.org
> Header: scan: User-Agent: Explorer SunOS
> Header: Tagger 'user-agent' added tag 'User-Agent: Explorer SunOS'.
> No action bits update necessary. Header: Modified: User-Agent:
> Mozilla/5.0 (X11; U; Linux; i686; en-ca; rv:1.7) KHTML (like Gecko)
> Header: crumble crunched: Proxy-Connection: keep-alive! Header:
> Adding: Connection: close

I do similar, but have things subtly different. My TAG: line has the
whole user agent, not ending in a slash. I know I am not good at
regexp, but I am not sure that slash is needed.


> 
> 1. I can only get forwarding to work from global setting in the
> config file so what am I missing here? Also the "forward-override"
> rule above would presumably forward everything EXCEPT traffic from
> agent "Explorer SunOS", but when I reset the browsers user-agent I
> get the same result. 

It overrides any existing forwardings (including direct, or no further
proxy). So if by default it is browser -> Privoxy -> web, then a
forward-override, when matched, will go browser -> privoxy -> proxy ->
web. (As long as the forward override isn't itself direct, or no proxy).


>2. Is it safe to use on-the-fly user-agent
> switcher/changer add-ons, if all requests go through Privoxy? I'd
> like to configure the rule so that only certain agents get
> "forward-override".
> 

I too use a user-agent switcher to pick proxies, but I don't really
consider it "safe". Just a convenience, though it does seem to work
reliably enough. From a security and privacy point of view relying on a
UA-switching hack is not good, eg cookies would gladly betray any
switching of web access IPs.

Because I have a mixture of sites and UAs in my action file I am not
sure about this, but if you set your UA and visit an HTTPS site,
Privoxy won't know the UA and the override will not apply. I think
pretty much all headers are encrypted, and so Privoxy can't know about
the UA. Please can someone say if this is wrong?

Many a site these days redirects to HTTPS, or have HTTPS CDNs for
images, CSS and scripts even if their HTML is over HTTP. UA shenanigans
might not be reliable with that.


Here's some censored guts of what I have in my user.action file.

#############
{+client-header-tagger{user-agent}}
/

{+forward-override{ forward-socks5 localhost:9050 . } \
}
.onion/*
TAG:^User-Agent: Mozilla/5\.0 \(Windows obfuscation Firefox/2\.0\.0\.6$

# Via local SSH tunnel (above seems to take priority)
{+forward-override{ forward-socks5 127.0.0.2:3128 . } \
.thepiratebay.
TAG:^User-Agent: Mozilla/5\.0 \(compatible; MSIE obfuscation$
TAG:^User-Agent: MPlayer.*$
TAG:^User-Agent: Liferea.*$
TAG:^User-Agent: wget.*$
TAG:^User-Agent: ktorrent.*$

## Via SSH tunnel to roadkill (above seems to take priority)
{+forward-override{ forward-socks5 127.0.0.4:3128 . } \
}
TAG:^User-Agent: Mozilla/5\.0 \(X11; Linux i686\) obfuscation Safari/obfuscation$
.network/*
#############


Nick

More information about the Privoxy-users mailing list